Introduction
Malicious code is a broad term that refers to any type of computer software, standalone or embedded, designed to perform some type of unauthorized
or undesirable activity. This includes viruses, worms, trojan horses, and other executable files and scripts that intentionally or unintentionally perform
unauthorized activities or act in a malicious manner. Detailed analysis of this code can provide specific information regarding how malicious code is introduced
and propagates on our networks and how we can better protect our systems from it.
The Task of Malicious Code Analysis
Malicious code analysis is a broad-scoped process with the goal of fully understanding how the code affects systems and networks. This
includes not only what the code does, but how it does it. The methodology has a number of phases. Surface analysis of the code is the most straightforward
activity, involving a cursory examination of the executable file itself to identify its basic characteristics and any recognizable content.
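The following script is an added illustration of that surface-analysis step; it is not DoD-CERT tooling. It takes a file's bytes, labels the type from its leading magic bytes, records MD5/SHA-1/SHA-256 hashes for later correlation, pulls out printable strings, and sorts those strings into the kinds of indicators an analyst looks for first (URLs, IP addresses, e-mail addresses, registry paths). The magic-byte table, the indicator patterns and the sample "executable" at the bottom are all constructed for this example.

```python
import hashlib
import re

# Leading-byte signatures for the file types met most often at triage.
# The table is constructed for this example and is deliberately coarse.
MAGIC = {
    b"MZ": "PE executable (DOS/Windows)",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive (also Office/JAR containers)",
    b"%PDF": "PDF document",
    b"#!": "script with interpreter line",
}

# Patterns for the indicators worth pulling out of the string dump.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "registry": re.compile(r"HK(?:LM|CU|EY_[A-Z_]+)\\[^\s]+"),
}


def identify_type(data: bytes) -> str:
    """Return a coarse type label from the leading magic bytes."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def hashes(data: bytes) -> dict:
    """Digests used to match the file against earlier submissions and AV reports."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs of at least min_len bytes, like the classic strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_indicators(strings: list) -> dict:
    """Bucket the strings into indicator types, dropping duplicates."""
    found = {kind: [] for kind in INDICATOR_PATTERNS}
    for s in strings:
        for kind, pattern in INDICATOR_PATTERNS.items():
            for match in pattern.findall(s):
                if match not in found[kind]:
                    found[kind].append(match)
    return found


def surface_report(data: bytes) -> dict:
    """Everything the surface-analysis phase records about one file."""
    strings = extract_strings(data)
    return {
        "size": len(data),
        "type": identify_type(data),
        "hashes": hashes(data),
        "string_count": len(strings),
        "indicators": find_indicators(strings),
    }


# Constructed sample: a fake PE stub with a few embedded strings, not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + b"http://update.example.test/payload.bin\x00"
    + b"smtp.example.test\x00"
    + b"192.0.2.10\x00"
    + b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\xff\xfe" * 20
)

if __name__ == "__main__":
    import json
    print(json.dumps(surface_report(SAMPLE), indent=2))
```

The string dump is where this stage usually pays off: a hard-coded update URL, a mail server name and a Run-key path in the sample above already tell the analyst which network services the lab must provide in the next phase and which persistence location to watch.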
The next phase involves actually running the code in a controlled, closely monitored, isolated test environment. This allows the analyst to observe the
behavior of the malicious code both on the local host and across the network. Flexibility of the test environment is critical because different network and
system configurations may cause the code to act differently. If the code tries to connect to an SMTP, DNS, or IRC server, the network needs to provide those
resources, in the same format and addressing scheme that the code expects, so that the analyst can observe the full performance of the malicious program.
Detailed system and network monitoring tools are employed to thoroughly audit every action of the code.
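As an added example of one of the "resources" the paragraph above describes, and not a component of the DoD-CERT lab, here is a minimal SMTP sink in Python: a server that speaks just enough of the protocol for a sample to believe it has reached a real mail relay, delivers nothing, and records the sender, recipients, message body and every command for the analyst. The `self_test` function at the bottom stands in for the sample under analysis; its addresses and message are constructed for this example.

```python
import smtplib
import socketserver
import threading


class SmtpSinkHandler(socketserver.StreamRequestHandler):
    """Accept an entire SMTP session, deliver nothing, log everything."""

    def reply(self, line: str) -> None:
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self) -> None:
        session = {"peer": self.client_address[0], "mail_from": None,
                   "rcpt_to": [], "data": b"", "commands": []}
        # Register the session before the greeting so aborted sessions are kept too.
        self.server.sessions.append(session)
        self.reply("220 lab.local ESMTP sink")
        while True:
            raw = self.rfile.readline()
            if not raw:                      # client dropped the connection
                break
            line = raw.rstrip(b"\r\n").decode("latin-1")
            session["commands"].append(line)
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 lab.local")
            elif verb == "MAIL":
                session["mail_from"] = line.partition(":")[2].strip()
                self.reply("250 OK")
            elif verb == "RCPT":
                session["rcpt_to"].append(line.partition(":")[2].strip())
                self.reply("250 OK")
            elif verb == "DATA":
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                body = []
                while True:
                    chunk = self.rfile.readline()
                    if not chunk or chunk in (b".\r\n", b".\n"):
                        break
                    body.append(chunk)
                session["data"] = b"".join(body)
                self.reply("250 OK (captured, not delivered)")
            elif verb == "QUIT":
                self.reply("221 Bye")
                break
            else:
                self.reply("250 OK")         # keep the sample talking on anything else


class SmtpSink(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr=("127.0.0.1", 0)):
        super().__init__(addr, SmtpSinkHandler)
        self.sessions = []               # one dict per connection, in arrival order


def start_sink(addr=("127.0.0.1", 0)) -> SmtpSink:
    """Run the sink on a background thread; port 0 lets the OS pick a free port."""
    server = SmtpSink(addr)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def self_test(server: SmtpSink) -> dict:
    """Stand-in for the sample: one constructed session against the sink."""
    host, port = server.server_address
    with smtplib.SMTP(host, port, timeout=5) as client:
        client.sendmail("bot@infected-host.example", ["dropbox@c2.example"],
                        "Subject: beacon\r\n\r\ntest message\r\n")
    return server.sessions[-1]


if __name__ == "__main__":
    sink = start_sink()
    record = self_test(sink)
    print(record["mail_from"], record["rcpt_to"], record["data"])
    sink.shutdown()
```

In a real lab the sink would listen on port 25 of whatever address the sample resolves for its mail server (which is why the paragraph stresses matching the addressing scheme the code expects), and the recorded sessions would be kept beside the host and network monitoring logs from the same run.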
Finally comes the most difficult stage of malicious code analysis: reverse engineering the code, that is, breaking down the binary code to identify
the low-level instructions that are executed. This type of analysis may reveal actions performed by the code that were undetectable by the monitoring tools
used earlier. While extremely difficult, this is the "holy grail" of malicious code analysis; virtually deriving the source code from a binary.
Malicious Code Lab
The DoD-CERT operates a malicious code lab as part of its large analysis and test network. The environment is designed to be flexible, scalable, and rapidly
reconfigurable. This allows analysts to quickly reconfigure and restore different systems as malware execution affects the normal configurations.
Code Submittals
The DoD-CERT welcomes the submittal of suspected or confirmed viruses and other types of malicious code from our DoD customers. This type of information is
especially important if you come across a seemingly new virus, or a particularly evasive or destructive piece of code. The submittal procedure is as follows:
1. Identify any and all files associated with the malicious code. This could be a single email attachment that was caught by anti-virus software or a set of files that were generated by the code on a completely infected machine.
2. Add the files to a zipped archive and password protect it with the password "infected". This will ensure that the code does not set off more alarms when submitted via email.
3. Email the password-protected, zipped file to "virus_submit@cert.mil".
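The script below is an added example of preparing that package, not a DoD-CERT tool: it stages the collected files together with a manifest of sizes and SHA-256 hashes (so the analyst can confirm nothing changed in transit), then builds the archive with the "infected" password. It assumes the Info-ZIP `zip` command is installed, since Python's standard `zipfile` module cannot create password-protected archives; the file names and contents in the `__main__` block are constructed for this example.

```python
import hashlib
import pathlib
import shutil
import subprocess
import tempfile

SUBMISSION_PASSWORD = "infected"
SUBMISSION_ADDRESS = "virus_submit@cert.mil"


def build_manifest(files: dict) -> str:
    """files maps a base name to its bytes. Returns a tab-separated manifest."""
    lines = ["name\tsize\tsha256"]
    for name in sorted(files):
        data = files[name]
        lines.append(f"{name}\t{len(data)}\t{hashlib.sha256(data).hexdigest()}")
    return "\n".join(lines) + "\n"


def package_for_submission(files: dict, out_dir: str,
                           archive_name: str = "submission.zip") -> pathlib.Path:
    """Stage files plus MANIFEST.txt and zip them with the agreed password.

    Requires Info-ZIP 'zip' on PATH (an assumption of this example)."""
    if shutil.which("zip") is None:
        raise RuntimeError("Info-ZIP 'zip' not found on PATH")
    for name in files:
        if pathlib.PurePath(name).name != name:      # base names only, no paths
            raise ValueError(f"unexpected path in file name: {name!r}")
    staging = pathlib.Path(tempfile.mkdtemp(prefix="submit_"))
    try:
        for name, data in files.items():
            (staging / name).write_bytes(data)
        (staging / "MANIFEST.txt").write_text(build_manifest(files))
        archive = pathlib.Path(out_dir) / archive_name
        # -j stores base names only; -P supplies the password non-interactively.
        subprocess.run(["zip", "-q", "-j", "-P", SUBMISSION_PASSWORD, str(archive),
                        *(str(p) for p in staging.iterdir())], check=True)
    finally:
        shutil.rmtree(staging, ignore_errors=True)
    return archive


if __name__ == "__main__":
    # Constructed stand-ins for the collected files; not real malware.
    collected = {"invoice.doc.exe": b"MZ\x90\x00" + b"\x00" * 32,
                 "dropped.dll": b"MZ\x90\x00" + b"\x01" * 16}
    print(build_manifest(collected))
    out = package_for_submission(collected, tempfile.gettempdir())
    print(f"send {out} to {SUBMISSION_ADDRESS}")
```

Keeping the manifest inside the archive means the receiving analyst can check the hashes against what was submitted and, later, against what the surface-analysis phase records for the same files.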